How do I find out who or what caused a reboot/shutdown?

On a Linux machine running systemd, is there any way to see what or who issued a shutdown or reboot command?

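Answer 1

Check the system log from the previous boot with sudo journalctl -b -1 -e

Check /var/log/auth.log

Are you sure it isn't one of "power interruption/spike", "CPU overheating", ...

On my system (Ubuntu 16.04,6),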

sudo journalctl | grep shutdown
Jan 29 12:58:07 bat sudo[14365]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/sbin/shutdown now
Feb 12 11:23:59 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:lxqt-session_system-shutdown.png: Ignored relative path
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:gshutdown_gshutdown.png: Ignored relative path
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:mate-gnome-main-menu-applet_system-shutdown.png: Ignored relative path
Feb 27 16:45:40 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Mar 05 17:53:27 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Mar 15 09:57:45 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Mar 21 17:40:30 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Apr 15 18:16:37 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
...

The first line shows when user walt executed sudo shutdown now
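
As an added example (not part of the answer above): grepping the journal for "shutdown" or "reboot" mostly returns noise, so this filter keeps only the sudo audit records and systemd-logind messages that name an actor. The function names power_events and sample_journal are hypothetical, and the sample lines are constructed, modeled on the output shown on this page.

```shell
#!/bin/sh
# Added example. Reads journalctl short-format lines on stdin and prints
# "<time> | <actor> | <detail>" for entries that attribute a shutdown or
# reboot to an actor.
power_events() {
    awk '
    # sudo audit record: "<user> : TTY=... ; USER=root ; COMMAND=<path> [args]"
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && match($0, /COMMAND=.*/) {
        cmd = substr($0, RSTART + 8)
        split(cmd, parts, " ")
        bin = parts[1]
        sub(/.*\//, "", bin)                  # basename of the executed binary
        if (bin == "systemctl") bin = parts[2] # simple case: verb is first arg
        # Match on the binary, not the whole line, so an argument such as
        # "shutdown-notes.txt" does not count as a shutdown.
        if (bin ~ /^(shutdown|reboot|poweroff|halt)$/)
            print $1 " " $2 " " $3 " | " $6 " | " cmd
        next
    }
    # systemd-logind announces the transition, sometimes with a reason.
    $5 ~ /^systemd-logind(\[[0-9]+\])?:$/ &&
    /System is (rebooting|powering down|halting)/ {
        print $1 " " $2 " " $3 " | systemd-logind | " \
              substr($0, index($0, "System is"))
    }'
}

# Constructed sample input, modeled on the journal output shown on this page.
sample_journal() {
    cat <<'EOF'
Jan 29 12:58:07 bat sudo[14365]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/sbin/shutdown now
Feb 12 11:23:59 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:gshutdown_gshutdown.png: Ignored relative path
Feb 27 16:45:40 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Mar 02 10:00:00 bat sudo[2001]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/usr/bin/vim /etc/shutdown-notes.txt
Mar 09 08:15:02 bat sudo[3110]: walt : TTY=pts/1 ; PWD=/home/walt ; USER=root ; COMMAND=/bin/systemctl poweroff
Sep 05 13:54:21 personal systemd-logind[715]: System is rebooting (Reboot initiated by Ansible).
Sep 05 13:54:36 personal cron[573]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:27:36 personal sudo[915]:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/reboot
EOF
}

# Real use (previous boot): sudo journalctl -b -1 -o short | power_events
sample_journal | power_events
```

A reboot typed inside a root shell (for example after sudo su -) leaves no sudo COMMAND record, so an empty result does not rule out an interactive user.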

Answer 2

In short, only a user or a root-privileged user can shut down/reboot the system.

  1. Run the last -x command to find the timestamp of the action
root@personal:~# last -x
ubuntu   pts/0        116.102.181.245  Wed Dec 18 16:28   still logged in
runlevel (to lvl 5)   4.15.0-1047-aws  Wed Dec 18 16:27   still running
reboot   system boot  4.15.0-1047-aws  Wed Dec 18 16:27   still running
shutdown system down  4.15.0-1047-aws  Wed Dec 18 16:27 - 16:27  (00:00)
ubuntu   pts/0        116.102.181.245  Wed Dec 18 16:25 - 16:27  (00:02)
runlevel (to lvl 5)   4.15.0-1047-aws  Wed Dec 18 16:24 - 16:27  (00:03)
  2. Based on the last -x results, find some recently logged-in users, switch to that user and check the history
root@personal:~# su - ubuntu
ubuntu@personal:~$ history 10
  312  dig @1.1.1.1 xxx +short
  313  dig @8.8.8.8 xxx +short
  314  dig @8.8.4.4 xxx +short
  315  exit
  316  sudo su -
  317  sudo reboot
  318  sudo su -
  319  history
  320  last -x
  321  history 10
  3. Or check the journalctl logs
root@personal:~# journalctl | grep reboot
Sep 05 03:07:04 ip-172-31-36-28 cron[710]: (CRON) INFO (Running @reboot jobs)
Sep 05 13:49:11 personal python3[21347]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None
Sep 05 13:51:23 personal python3[22042]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None
Sep 05 13:54:21 personal systemd-logind[715]: System is rebooting (Reboot initiated by Ansible).
Sep 05 13:54:36 personal cron[573]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:24:30 personal cron[651]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:27:36 personal sudo[915]:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/reboot
Dec 18 16:27:54 personal cron[641]: (CRON) INFO (Running @reboot jobs)

By the way, you can find more information at the following link:
